HCSEC-2026-08 - Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Operations

Bulletin ID: HCSEC-2026-08
Affected Products / Versions:
Vault Community Edition up to 1.21.4, fixed in 2.0.0
Vault Enterprise up to 1.21.4, 1.20.9, and 1.19.15; fixed in 2.0.0.
Publication Date: April 16th, 2026

Summary
Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows. This vulnerability, CVE-2026-5807, is fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0.

Background
generate-root and rekey are administrative operations used to manage sensitive cryptographic material. The generate-root process enables creation of a new root token through a quorum-based unseal key ceremony, while rekey rotates the unseal or recovery key shares. More information on key recovery operations can be found in the key recovery documentation page.

Details
Because the sys/rekey, sys/generate-root, and sys/rekey-recovery-key endpoints are unauthenticated in affected versions, an attacker with network access to the Vault API can repeatedly initiate (or cancel) these operations with plain HTTP requests, keeping the single in-progress operation slot permanently occupied. This disrupts, or locks out entirely, the legitimate generate-root and rekey workflows of an administrator or operator.
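Operators who cannot upgrade immediately can at least see the abuse happening. The script below is an added example (not HashiCorp code and not part of the bulletin): it reads Vault file-audit-device JSON lines, keeps only request entries whose operation starts or cancels a ceremony on the three endpoints named above (PUT/POST is audited as `update`, DELETE as `delete`; the GET status poll is `read` and is ignored), and flags any remote address that does so more often than an operator plausibly would inside a time window. The field names `time`, `type`, `request.operation`, `request.path` and `request.remote_address` follow the Vault JSON audit format; the sample log lines, the window of 5 minutes and the threshold of 3 are constructed assumptions for illustration.

```python
"""Flag churn on Vault's generate-root / rekey endpoints from audit-log lines.

Added example, not HashiCorp code. Sample audit entries below are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Paths whose PUT/POST ("update") or DELETE ("delete") requests start or
# cancel the single in-progress generate-root / rekey ceremony.
WATCHED_PATHS = {
    "sys/generate-root/attempt",
    "sys/rekey/init",
    "sys/rekey-recovery-key/init",
}
SLOT_OPERATIONS = {"update", "delete"}


def _audit_line(ts, op, path, addr, kind="request"):
    """Build one constructed audit entry (JSON line) in the Vault file-audit shape."""
    return json.dumps({
        "time": ts,
        "type": kind,
        "auth": {},
        "request": {"id": "req-" + ts, "operation": op, "path": path,
                    "remote_address": addr},
    })


# Constructed sample log: 203.0.113.7 starts and cancels generate-root every
# 15 s; 10.0.0.5 is an operator who starts one rekey and then polls its status.
SAMPLE_LOG = [
    _audit_line("2026-04-16T10:00:00Z", "update", "sys/generate-root/attempt", "203.0.113.7"),
    _audit_line("2026-04-16T10:00:15Z", "delete", "sys/generate-root/attempt", "203.0.113.7"),
    _audit_line("2026-04-16T10:00:30Z", "update", "sys/generate-root/attempt", "203.0.113.7"),
    _audit_line("2026-04-16T10:00:45Z", "delete", "sys/generate-root/attempt", "203.0.113.7"),
    _audit_line("2026-04-16T10:01:00Z", "update", "sys/generate-root/attempt", "203.0.113.7"),
    _audit_line("2026-04-16T10:01:15Z", "delete", "sys/generate-root/attempt", "203.0.113.7"),
    _audit_line("2026-04-16T10:01:30Z", "update", "sys/generate-root/attempt", "203.0.113.7"),
    _audit_line("2026-04-16T10:01:45Z", "delete", "sys/generate-root/attempt", "203.0.113.7"),
    _audit_line("2026-04-16T10:03:00Z", "update", "sys/rekey/init", "10.0.0.5"),
    _audit_line("2026-04-16T10:03:05Z", "read", "sys/rekey/init", "10.0.0.5"),
    # A response-type entry and an unrelated path must not count as slot events.
    _audit_line("2026-04-16T10:03:05Z", "read", "sys/rekey/init", "10.0.0.5", kind="response"),
    _audit_line("2026-04-16T10:03:10Z", "update", "secret/data/app", "10.0.0.9"),
]


def parse_time(ts):
    """Parse the RFC 3339 timestamp Vault writes (trailing Z means UTC)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def slot_events(lines):
    """Yield (time, remote_address, operation, path) for request entries that
    start or cancel a ceremony on a watched path. Authentication state is not
    consulted: on affected versions these requests carry no token anyway."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        if entry.get("type") != "request":
            continue
        req = entry.get("request", {})
        if req.get("path") not in WATCHED_PATHS:
            continue
        if req.get("operation") not in SLOT_OPERATIONS:
            continue
        yield (parse_time(entry["time"]), req.get("remote_address", "?"),
               req["operation"], req["path"])


def find_churn(lines, window_seconds=300, threshold=3):
    """Return {remote_address: peak number of slot-changing requests seen within
    any window of `window_seconds`} for addresses reaching `threshold`."""
    window = timedelta(seconds=window_seconds)
    per_addr = defaultdict(list)
    for t, addr, _op, _path in slot_events(lines):
        per_addr[addr].append(t)
    alerts = {}
    for addr, times in per_addr.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Slide the left edge until the window spans at most window_seconds.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[addr] = peak
    return alerts


if __name__ == "__main__":
    for addr, count in find_churn(SAMPLE_LOG).items():
        print("ALERT: %s issued %d generate-root/rekey start/cancel requests "
              "within 5 minutes" % (addr, count))
```

Against a real audit file, feed `open("vault-audit.log")` in place of `SAMPLE_LOG`. The check deliberately ignores the `auth` block: the point of the bulletin is that no token is needed, so the only useful signal is the rate per source address, and a single operator start followed by status polls stays below the threshold.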

There are previous disclosures regarding rekey functionality:

Remediation
Customers should evaluate the risk associated with this issue and consider upgrading to Vault Community Edition 2.0.0 or Vault Enterprise 2.0.0. Please refer to Upgrading Vault for general guidance.

Customers who wish to revert the new behavior (these previously unauthenticated endpoints now requiring authentication) should refer to https://developer.hashicorp.com/vault/docs/updates/important-changes#previously-unauthenticated-endpoints-require-authentication in the Vault release notes and important changes.

Acknowledgement
This issue was identified by XlabAI Team of Tencent Xuanwu Lab and the Atuin Automated Vulnerability Discovery Engine who reported it to HashiCorp.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.
